The state of external access to my Horizon 6 Enterprise lab has been in flux for a while. I’ve used Duo Security to provide two-factor authentication for a bit, but as I transitioned from a straight WAN -> DMZ NAT using a View Security Server to proxying all of my incoming traffic through an F5 LTM Lab Edition virtual appliance using APM, I found myself on the hunt again.

I would have stuck it out with Duo – it’s a great service, fully featured and free of charge for up to 10 users – but I couldn’t make it work with APM. After a fair bit of research, I landed on WiKID Systems. It, like Duo, met my three most basic requirements: an iOS-based soft token so I can just use my iPhone for authentication, RADIUS authentication, and being free.

Before I started, I had already configured my firewall to pass all View-related traffic to a virtual IP on my F5 VM in my DMZ (443/TCP, 80/TCP, 4172/TCP, 4172/UDP). The View 1.2 iApp was deployed on the F5, and it was configured so I could access everything internally without being proxied, while everything external was proxied via APM. Connectivity worked both natively using the Horizon View Client and via the webtop.

I’ll pick up where I have my appliance deployed and initial configuration (certificates installed, registered with WiKID Systems, available externally on 80/TCP, etc.) complete.

1. Once logged in to the WiKID Admin Console, click Domains, then Create A New Domain.

2. Give your new domain a Name, Device Domain Name, Server Code (this is the external IP address used for WiKID, must be 12 digits, fill in 0s if need be – example below is for 1.1.1.1), and the rest of the configuration. The defaults were fine with me. Click Create when finished.
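The Server Code rule from step 2, as an added example that is not part of the original post or of WiKID's own tooling: each octet of the external IPv4 address is zero-padded to three digits and the four groups are concatenated. The function names and the warning about non-public addresses are assumptions made for this sketch.

```python
import ipaddress


def server_code(ip: str) -> str:
    """Return the 12-digit server code for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    # Pad every octet to three digits: 1.1.1.1 -> 001 001 001 001
    return "".join(f"{octet:03d}" for octet in addr.packed)


def server_code_to_ip(code: str) -> str:
    """Decode a 12-digit server code back to dotted-quad form."""
    if len(code) != 12 or not (code.isascii() and code.isdigit()):
        raise ValueError("server code must be exactly 12 digits")
    octets = [int(code[i:i + 3]) for i in range(0, 12, 3)]
    # IPv4Address rejects any group above 255
    return str(ipaddress.IPv4Address(".".join(str(o) for o in octets)))


def review(ip: str) -> tuple[str, list[str]]:
    """Return (server_code, warnings) for the address you plan to enter."""
    warnings = []
    addr = ipaddress.IPv4Address(ip)
    # Assumption: the post says this is the external address, so a
    # private, loopback or otherwise non-routable value is likely a mistake.
    if not addr.is_global:
        warnings.append(f"{ip} is not a publicly routable address")
    return server_code(ip), warnings


if __name__ == "__main__":
    # Constructed sample inputs; 1.1.1.1 is the example used in the post.
    for sample in ("1.1.1.1", "10.0.0.5"):
        code, notes = review(sample)
        print(sample, "->", code, notes or "ok")
```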

4. A new page will pop up with the Visual Policy Editor for your View Access Policy. First, click the + to the left of the AD View Client Logon. This is for the VMware View client type.

5. Choose VMware View Logon Page, and then click Add Item.

6. A window will pop up, prompting for configuration of the logon page. Configure the following, and click Save when finished.

VMware View Logon Screen – RADIUS

VMware View Windows Domains – Blank

VMware View RADIUS Auth Label – I don’t know if this makes a difference – I just supplied Wikid.

The rest you can leave at defaults. I made sure I called out that this was WiKID auth in the UI.

7. On the VPE, click the + to the right of the new VMware View Logon Page.

8. On the Authentication tab, choose RADIUS Auth, and then click Add Item.

9. A window will pop up, prompting for configuration of the RADIUS Auth. Configure the following, and click Save when finished.

AAA Server – This will be the RADIUS AAA Server configured earlier.

Show Extended Error – Default

Max Logon Attempts Allowed – 3 to match the rest of the policies.

End to end, the View Client authentication should look something like this (Disclaimer isn’t necessary):

10. Back on the VPE, click the + to the left of the Browser Logon Page. This is for the Full or Mobile Browser client type.

11. Choose Logon Page, and then click Add Item.

12. Configure similarly to that below. The only things I changed here were the Form Header Text and Logon Page Input Field #1 and #2, and these were for aesthetic reasons. The rest of the form is default. Click Save when finished.

13. Click the + to the right of your new Logon Page.

14. Repeat steps 8 and 9 above for the new RADIUS Auth. The only difference will be that you have to give it a unique name.

End to end, the Browser authentication should look something like this (Disclaimer isn’t necessary):